Research Article on the Complexity of Impossible Differential Cryptanalysis

Home , Q (cipher), SAFER

Hindawi Security and Communication Networks Volume 2018, Article ID 7393401, 11 pages https://doi.org/10.1155/2018/7393401

Research Article On the Complexity of Impossible Differential Cryptanalysis

Qianqian Yang ,1,2,3 Lei Hu ,1,2,3 Danping Shi,1,2,3 Yosuke Todo,4 and Siwei Sun1,2,3

1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China 2Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing, China 3School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China 4NTT Secure Platform Laboratories, Tokyo, Japan

Correspondence should be addressed to Lei Hu; [email protected]

Received 12 September 2017; Accepted 20 December 2017; Published 17 April 2018

Academic Editor: Jiankun Hu

Copyright © 2018 Qianqian Yang et al. Tis is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

While impossible diferential attack is one of the most well-known and familiar techniques for symmetric-key cryptanalysts, its subtlety and complicacy make the construction and verifcation of such attacks difcult and error-prone. We introduce a new set of notations for impossible diferential analysis. Tese notations lead to unifed formulas for estimation of data complexities of ordinary impossible diferential attacks and attacks employing multiple impossible diferentials. We also identify an interesting point from the new formulas: in most cases, the data complexity is only related to the form of the underlying distinguisher and has nothing to do with how the diferences at the beginning and the end of the distinguisher propagate in the outer rounds. We check the formulas with some examples, and the results are all matching. Since the estimation of the time complexity is fawed in some situations, in this work, we show under which condition the formula is valid and give a simple time complexity estimation for impossible diferential attack which is always achievable.

1. Introduction the formulas for the time complexity estimation given in [18], Impossible diferential attack, introduced by Knudsen [1] and and concrete examples were presented such that the time Biham et al. [2] independently, is one of the most well-known complexities estimated with the formulas given in [19] are not cryptanalytic techniques for symmetric-key cryptanalysts achievable. [3–9]. Generally, in impossible diferential cryptanalysis, Our contribution follows Boura, Naya-Plasencia, Suder, we guess some key bits involved in the outer rounds of and Derbez’s work at ASIACRYPT 2014, FSE 2016, and ESC the target cipher. Ten the guess is rejected if it leads 2017; we investigate further some aspects of the estimation to impossible diferentials at the inner rounds. Despite its of the impossible diferential attack which have not been extensive application in symmetric-key cryptanalysis, errors explored or stated explicitly in previous work. in the analysis are ofen discovered and many papers in the Firstly, we introduce a new set of notations for impos- literature presented subtle faws. Note that the faws typically sible diferential analysis. With these notations, there is arise in the estimation of the time and data complexities no diference between ordinary impossible diferentials and rather than in the distinguisher, similar to searching dif- multiple impossible diferentials. Under some reasonable ferential and linear characteristic [10–13], the methodology assumptions (the same assumptions were made implicitly in of searching for impossible diferential is fairly mature, and [18, 19]), we modify the formula in [18] for calculating the automatic tools are available [14–17]. To relieve the difculty data complexity into a form getting rid of the parameters � � of the complexity analysis, Boura et al. presented generic of the number of bit-conditions (the in and out notations complexity analysis formulas along with the development of in [18]) that have to be verifed to follow some specifed new ideas for optimizing impossible diferential cryptanalysis behavior in the outer rounds of a target cipher. Moreover, [18]. However, at FSE 2016, Derbez identifed some faws in in the formulas derived with the new notations, we identify 2 Security and Communication Networks a very interesting and somehow strange point: in most (A) cases, the data complexity is only related to the form of the underlying distinguisher and has nothing to do with how the diferences at the beginning and the end of the distinguisher A propagate in the outer rounds. Tat is, in most cases, the data ０Ｌ = 1 complexity can be completely determined by the underlying impossible diferential distinguisher employed in the attack. A Hence, estimating the data complexity with the new formulas is much more easier and straightforward than that of Figure 1: Te relationship in A, A,and�(A). [18]. Secondly, since Derbez showed concrete examples where Boura et al.’s formula of the time complexity of impossible Note that this notation is diferent from the notation of diferential attack is invalid, we are interested in the condition impossible diferential we typically see in the literature, since under which the estimation of Boura et al. is correct, and in our notation, it is possible that ∃� ∈ A and ∃� ∈ B,such we prove that the time complexity of the key-sieving process that �→�isnotanimpossiblediferential. given by Boura et al. is not only achievable but also optimal Let ID� (A, B) = {(�, �) : � ��,�∈A,� ∈ B},where ID � ID � if the key bits involved in the outer rounds are independent. �� is simply written as if � is clear from the context. UsingtheearlyaborttechniquepresentedbyLuetal.in Ten we have ‖ID(A, B)‖ ≤ ‖A‖+‖B‖,and‖ID(A, B)‖ = [20, 21], we give the optimal result with detailed process. ‖A‖+‖B‖ in the special case for any �∈A and �∈B, Finally, we give a formula to estimate the time complexity ��. It is worth mentioning, with the new notation, of the key-sieving process in the case where the key bits that we can unify ordinary impossible diferentials and involved in the outer rounds are not independent. Te esti- multiple impossible diferentials in impossible diferential mation is not guaranteed to be equal to the complexity of the cryptanalysis. optimal attack as discussed by Derbez in [19], but it is always For example, if 0011 �� 0001, 0011 �� 0010,and achievable. Terefore, the formula serves to give a rough 0011 → 0011,withthenewnotation,wecall(0011, 00∗∗) an estimation of an impossible diferential attack without diving impossible diferential, and ‖ID(0011, 00 ∗ ∗)‖ = log2(2) = 1. into complicated calculations and time-consuming search � algorithms, which should be very useful in fast prototyping Defnition 2. Let A ⊆ F2 ,andthestructure�(A) derived from in cryptanalysis. A is defned to be the set of all �-bit strings �=�0 ⋅⋅⋅��−1 We present a new set of notations for impossible diferen- such that �� ≡0for all �∈{�:∀�∈A,�� =0}.Givenabit tial analysis in Section 2. Section 3 briefy shows impossible �∈F � � (A) �+�(A) = {�⊕� : diferential attacks. In Section 4, we modify the data formula, string 2 , � isdefnedtobetheset �∈�(A)} which is related to a few parameters and unifes multiple . impossible diferential attacks with ordinary impossible dif- A = {0010, 0011, 1010, 1011} �= ferential attacks. In Section 5 we prove that the formula of the For example, if and 0100 time complexity is achievable and optimal with the key bits ,then independent and give a rough estimation formula for the key �(A) bits without independence. At last we conclude the paper in (1) Section 6. = {0000, 0001, 0010, 0011, 1000, 1001, 1010, 1011}

2. Notations and �0100(A) = {0100, 0101, 0110, 0111, 1100, 1101, 1110, 1111}. Recall that, in diferential type of cryptanalysis, if we Let F2 ={0,1}be the fnite feld of two elements. For a set want to get many pairs of data whose diferences are in a set �, its number of elements is denoted by |�|,andlet‖�‖ = A, we typically frst prepare a structure �(A) from which the log2(|�|). Also, for an integer �,let‖�‖ = log2(�). In addition, we use some notations like regular expression needed pairs will be generated. From Figure 1, we can see the A A �(A) to represent a set of bit strings. For example, 1 is equivalent relationship in , ,and . to the set {1}, 0 is equivalent to {0},and0001 is equivalent to {000001, 000011, 000101, 000111},whichisalternatively 3. Impossible Differential Attack denoted by 03∗21, where the subscript tells the number of occurrences of the symbol concerned. In contrast to ordinary diferential attack which relies on diferentials with high probability, impossible diferential � Defnition 1. Let E�(⋅) be a block cipher and �, �∈F2 ;if attack reduces the key space by identifying wrong key guesses � ∀�, ��(� ⊕ �) ⊕ E�(�) =�̸ for all �∈F2 ,wecall(�, �) with the aid of diferentials which never occur. an impossible diferential of E, which is denoted by ��. We show how to convert an impossible diferential dis- � More generally, let A, B ⊆ F2 ;wecall(A, B) an impossible tinguisher into a key-recovery attack in Figure 2. Firstly, we diferential, denoted by A �� B,ifforany�∈A, ∃� ∈ B, need to append some outer rounds (�1 with � rounds and �� ∈B ∃� ∈ A � � (inA, B) � such that ,andforany , ,suchthat 3 with out rounds) around the distinguisher with Δ ��. rounds covering �2. Ten we propagate the diferences in A Security and Communication Networks 3

� A plaintext pairs (�, � ) such that E r 1 ＣＨ (cＣＨ,kＣＨ) �⊕�� ∈�(A), (3) � A � (�) ⊕�(�)∈�(B).

Moreover, there are approximately E2 rΔ ‖A‖ ‖B‖ 2‖�(A)‖+‖�(B)‖−�−1 2 ⋅2 B 2 ⋅ ‖�(A)‖ ‖�(B)‖ 2 ⋅2 (4) =2‖�(A)‖+‖A‖+‖B‖−�−1 E3 rＩＯＮ (cＩＯＮ,kＩＯＮ) � � B pairs satisfying �⊕� ∈ A and �(�) ⊕ �(� )∈B.

� Figure 2: Generic vision of impossible diferential attack. Defnition 3. Apairofplaintexts(�, � ) is (A, B)-efective if � � and only if �⊕� ∈ A and �(�) ⊕ �(� )∈B. and B to both directions in the outer rounds to get A and B, According to the defnitions of A and B,only(A, B)- where A is the set of all diferences having the possibility of efective pairs have the potential to suggest wrong key creating an intermediate diference in A at the beginning of guesses, since it is only possible for such pairs to lead to the A �� B �2,andB is defned similarly. For fxed outer rounds, A and B impossible diferential under wrong key guesses. are not dependent on the involved secret key bits in the outer From the above discussion, we have the following fact. rounds.Actuallytheycanbecomputedbypropagatingthe � (A) diference patterns upwards and downwards according to the Fact 4. From one structure � ,approximately ‖�(A)‖+‖A‖+‖B‖−�−1 diferential distribution table of the components of the cipher. 2 (A, B)-efective pairs can be generated. Now we can identify the involved secret key bits in the outer � rounds. Tese key bits are the secret information we are going For an (A, B)-efective pair (�, � ),theprobabilitythat � to recover in the attack, which we call the targeted key bits. �1(�) ⊕ �1(� )∈A under some random guess of the key Finally,wepreparesomestructures��(A) and encrypt the information involved in �1 canbeestimatedas|A|/|A|= ‖A‖−‖A‖ � plaintexts in ��(A) to get the corresponding ciphertexts. For 2 .Similarly,let(�, � ) be the ciphertexts of the (A, B)- (�, ��) � (A) �⊕�� ∈ A � −1 each pair of plaintexts in � satisfying , efective pair (�, � ). Ten the probability that �3 (�) ⊕ guess the secret key information � ∪� involved in the �−1(��)∈B in out � 3 under some random guess of the key informa- outer rounds. If the partial encryption/decryption of (�, � ) ‖B‖−‖B‖ � tion involved in �3 canbeestimatedas|B|/|B|=2 . and (�(�), �(� )) leads to impossible diferentials, the guess � iscertainlyincorrect.Withthisstrategy,hopefullywecan Fact 5. Te probability that an (A, B)-efective pair (�, � ) � ∪� reject lots of wrong guesses of in out, and the key space leads to an impossible diferential (�, �) ∈ ID(A, B) afer is therefore reduced. To calculate complexity of the attack, partial encryption/decryption with a random key guess is we defne � which is the number of bit-conditions that in ‖A‖ ‖B‖ ‖ID(A,B)‖ have to be verifed to obtain A from A. In other words, the 2 2 2 ‖ID(A,B)‖−‖A‖−‖B‖ ⋅ ⋅ =2 ; (5) diferences A are propagated from A with probability 1 while 2‖A‖ 2‖B‖ 2‖A‖+‖B‖ � the diferential A ← A is verifed with probability 1/2 in . � that is, there are �ID =‖A‖+‖B‖−‖ID(A, B)‖ bit-conditions Similarly, we can get the defnition of out. that need to be verifed for an (A, B)-efective pair to satisfy an impossible diferential in ID(A, B). 4. On the Data Complexity of Impossible Differential Attack Note that �ID =‖A‖−‖A‖+‖B‖−‖B‖ is coincidence � +� �∈A to the notation of in out presented in [18] for any Assuming that we have identifed an impossible diferential and �∈B, ��.Hence,thenotionof� +� is actually A �� B,wepropagateA and B diferentials to both directions in out a special case of our notion �ID. Tis is demonstrated by the A B � (A) to get and . Ten we prepare many structures � by following two concrete examples. � 2‖�(A)‖−1 varying �∈F2 .Foreachstructure��(A),thereare2 � � pairs of plaintexts (�, � ) satisfying �⊕� ∈�(A).Filtering Example 6 (on the bit-conditions). Take the impossible the pairs by the condition that the diferences of ciphertexts diferential attacks on SIMON [22] presented in pairs are in �(B),wecangetapproximately Appendix A.3 in [18] as an example. Te impossible diferential used in the attack and the outer rounds 22‖�(A)‖−1 are redrawn in Figure 3, from which we have =22‖�(A)‖+‖�(B)‖−�−1 (2) A ={0000000000000000 0000000000000001}, B = �−‖�(B)‖ 2 {0000000010000000 0000000000000000}, 4 Security and Communication Networks

L0 R0 L15 R15

<<<8 <<<8 K K & 1 & 16 <<<1 <<<1 8 bit-cond. 2 bit-cond. <<<2 <<<2

L1 R1 L16 R16

<<<8 <<<8 K K & 2 & 17 <<<1 <<<1 7 bit-cond. 5 bit-cond. <<<2 <<<2

L2 R2 L17 R17

<<<8 <<<8 K K & 3 & 18 <<<1 <<<1 5 bit-cond. 7 bit-cond. <<<2 <<<2

L3 R3 L18 R18

<<<8 <<<8 K K & 4 & 19 <<<1 <<<1 2 bit-cond. 8 bit-cond. <<<2 <<<2

L19 R19

(a) (b)

Figure 3: Te initial rounds (a) and the fnal rounds (b) of the attack on SIMON32/64.

A = 000 ∗∗∗0 ∗ 01 ∗∗∗∗∗00∗∗∗∗∗∗1 ∗∗∗∗∗∗0∗ (6) B = 1 ∗∗∗∗∗∗0 ∗ 0 ∗∗∗∗∗∗ ∗01 ∗∗∗∗∗0000 ∗∗∗0

� Terefore, �ID =‖A‖−‖A‖+‖B‖−‖B‖ = 22−0+22−0= 44, For an (A, B)-efective pair (�, � ), we can guess the key � � +� = � � � (�)⊕� (��) �−1(�)⊕ which is the same as [18] where ID is calculated as in out bits involved in 1 and 3 and get 1 1 and 3 (8+7+5+2)+(2+5+7+8)= 44 −1 � � −1 −1 � .Ascanbeseenin � (� ).If(�1(�)⊕�1(� ), � (�)⊕� (� )) ∈ ID(A, B),the � +� =� +⋅⋅⋅+� +� +⋅⋅⋅+� � 3 3 3 Figure 3, in out 0 3 15 18,where � is key guess must be incorrect and therefore can be removed � the number of bit-conditions in th round. from the candidate key space safely. In this case, we say that a key guess is rejected by a set P of plaintext pairs if and only if Example 7 (on the bit-conditions). Take the impossible P � ∪� the guess is rejected by at least one pair in .Let in out be diferential attacks on 13-round CLEFIA-128 [23] presented the target key space, and let P be the set of (A, B)-efective in Section 3.2 of [18], for example. Te impossible dif- pairs generated from the chosen plaintexts. Te goal of an ferentials used in the attack and the outer rounds are impossiblediferentialattackistorejectasmanyaspossible redrawn in Figure 4, from which we have A = 096∗8024, � ∪� keys in in out such that the target key space can be reduced B = 072∗8048, A = 032∗8024‖�0(∗8024)‖∗32,andB = signifcantly. 040∗8016‖�1(08∗8016)‖∗32. Terefore, �ID =‖A‖−‖A‖+ According to Fact 5, the probability that a key guess for � ‖B‖−‖B‖=48−8+48−8=80,whichisthesameas[18], � ∪� is rejected by a given (A, B)-efective pair (�, � )∈P in −� out 2 ID where �ID is calculated as � +� =40+40=80which are is . Terefore, the probability that a guess is not rejected in out −� |P| depictedinFigure4. by P is (1 − 2 ID ) . Security and Communication Networks 5

Δ ＣＨ Δ Y

WK WK1 RK0 0 RK1 RK22 RK23

32 cond. F0 F1 8 cond. F0 F1

RK2 RK3 RK24 RK25

8 cond. F0 F1 32 cond. F0 F1

WK2 WK3

Δ X Δ ＩＯＮ

Figure 4: Te attack on CLEFIA-128.

Terefore, the number of candidates keys in the target key In the frst case, 1 structure �(A) is enough to generate space afer performing the impossible diferential analysis is �−1 (A, B)-efective pairs. Tat is, −� |P| (1 − 2 ID ) |� ∪� | in out . In the literature, we typically regard −� 2�ID −1 ‖�(A)‖+‖A‖+‖B‖−�−1 ‖A‖+‖B‖−‖ID(A,B)‖ (1 − 2 ID ) approximately as � . Consequently, we need 2 ≥2 , (9) approximately namely, ‖�(A)‖≥�+1−‖ID(A, B)‖. Assuming that we need � �(A) �−1 plaintexts from ,then �ID ‖A‖+‖B‖−‖ID(A,B)‖ �−1 =2 =2 (7) � ‖�(B)‖ ‖A‖ ‖B‖ �−1 2 2 ⋅2 �� ⋅ ⋅ ⋅ −1 2 2� 2‖�(A)‖ ⋅2‖�(B)‖ (A, B)-efective pairs to reduce the target key space by log2� (10) bit. =2‖A‖+‖B‖−‖ID(A,B)‖, −1 − � Teorem 8. With the probability ��=�=2log2 ,in � � =2(�+1+‖�(�)‖−‖ID(A,B)‖)/2. other words, to reduce log2 -bitinformationofthespaceofkey from which we can get �−1 candidates, the data complexity is �� ,where Inthesecondcase,1structureisnotenoughtoproduce �−1 � �−1 (A, B)-efective pairs, and we need 2 structures. In this case, we have � �� −1 2� ⋅2‖�(A)‖+‖A‖+‖B‖−�−1 =� =2‖A‖+‖B‖−‖ID(A,B)‖. � � −1 (11) (�+1+‖�(A)‖−‖ID(A,B)‖)/2 � � {2 , ��(A)� ≥�+1−‖ID (A, B)‖ ; (8) = { � � � ‖�(A)‖ �+1−‖ID(A,B)‖ �+1−‖ID(A,B)‖ � � 2 ⋅2 =2 {2 , ��(A)� ≤�+1−‖ID (A, B)‖ . Terefore, we need plaintexts. Fromtheabovetwocases,wecanobtainformula(8).

−2� −2�⋅ � Proof. Wearenowreadytohaveacarefullookatthedata Corollary 9. With the probability ��=� =2 log2 ,in � complexity needed to reduce at least log2� bitofinformation otherwords,toreduce2 ⋅ log2�-bit information of the space of of the space of key candidates by considering two cases. key candidates, the data complexity is �� ,where �−�

� � (�+1+‖�(A)‖−‖ID(A,B)‖)/2 �/2 � � {2 ⋅2 , ��(A)� ≥�+1−‖ID (A, B)‖ +�; �� = { � � (12) �−� �+1−‖ID(A,B)‖ � � � {2 ⋅2 , ��(A)� ≤�+1−‖ID (A, B)‖ +�.

�+1 From Teorem 8, we can get Corollary 9 easily with minimum data complexity is 2 .Obviously,theamountof � thesamemethod.AccordingtoTeorem8,while‖A‖= all data is 2 , which is less than the minimum data complexity ‖B‖=0,namely,foronebit-levelimpossiblediferential,the needed for a feasible impossible diferential attack. 6 Security and Communication Networks

Table 1: Impossible diferential characteristics for SIMON32/64.

Number ID (1) 0000000000000000 0000000000000001 �� 0000000010000000 0000000000000000 (2) 0000000000000000 0000000010000000 �� 0000000010000000 0000000000000000 (3) 0000000000000000 0000000100000000 �� 0000000010000000 0000000000000000 (4) 1000000000000000 0000000000000000 �� 0000000010000000 0000000000000000 (5) 0000000000000000 0000000000000001 �� 0000001000000000 0000000000000000 (6) 0000000000000000 0000000010000000 �� 0000001000000000 0000000000000000 (7) 0000000000000000 0000000100000000 �� 0000001000000000 0000000000000000 (8) 1000000000000000 0000000000000000 �� 0000001000000000 0000000000000000

� � Table 2: Diferential values for in and out. � � 0 in out (1) [08,08,08,�8][08,08,�8,08], [08,�8,08,08], [�8,08,08,08]

(2) [08,08,�8,08][08,08,08,�8], [08,�8,08,08], [�8,08,08,08]

(3) [08,�8,08,08][08,08,08,�8], [08,08,�8,08], [�8,08,08,08]

(4) [�8,08,08,08][08,08,08,�8], [08,�8,08,08], [08,08,�8,08]

Corollary 10. If only using one bit-level impossible diferential, reduce the target key space by approximately log2� bit, the 96+1−3 94 which is ‖A‖=‖B‖=0, then there does not exist a successful data complexity is approximately 2 =2 .Tesedata impossible diferential attack. complexities are in accordance with the results proposed in [18]. In our formulas, the computation of the data complexity for standard impossible diferential analysis and attacks based Example 12 (multiple impossible diferential attack on CLE- on multiple impossible diferentials are unifed. Moreover, FIA-128). In [24], Tsunoo et al. mounted an impossible dif- our formulas reveal some interesting facts which have not ferential attack on CLEFIA [23] by using multiple impossible been spotted previously. Taking formula (8), for example, in diferentials discovered in [29]. Tere are the following two almost all papers [9, 20, 24–28], it is the case that 9-round impossible diferentials in CLEFIA � � ��(A)� ≤�+1− ID A, B . [032,032,032,� ]��[032,032,032,� ], � � ‖ ( )‖ (13) in out (15) [0 ,� ,0 ,0 ]��[0 ,� ,0 ,0 ]. Tisisveryreasonable,sincethecryptanalystscannotprop- 32 in 32 32 32 out 32 32 agate A upwards too much; otherwise �(A) would contain Only considering that there is one active byte in � and � F � in out almost all strings in 2 , which is obviously an unpleasant presented in Table 2, we will show how to use our formula to situation. Terefore, in most cases, the data complexity can determine the data complexity of an impossible diferential be computed from the distinguisher (A, B) directly and has attackbasedonthesediferentials. nothingtodowithhowA/B propagate upwards/downwards. Tis formula ofers an extremely simple procedure for com- FromTable3,wecanseethat puting the data complexity of impossible diferential attack. ‖ID (A, B)‖ = (28 ×28 × 24) ≈ 20.58. Letusshowsomeexamples. log2 (16) Terefore, to reduce the target key space by approximately Example 11 (multiple impossible diferential attack on log2� bit, the minimal number of data complexity is approx- SIMON32/64 and SIMON96/96). In [18], Boura et al. used 128+1−20.58 108.42 imately 2 =2 , which matches the results multiple impossible diferentials to attack SIMON32/64. presented in [18, 24] perfectly. Tere are 8 independent input patterns by one original 11- round impossible diferential 5. On the Time Complexity of Impossible 0000000000000000 0000000000000001 �� Differential Attack (14) 0000000010000000 0000000000000000; Te time complexity of the impossible diferential attack is we can see the detail in Table 1. It is obvious that ‖ID(A, B)‖ = estimated by Boura et al. with the formula log2(4 × 2) = 3. Tus the data complexity is approximately ‖� ∪� ‖ � � � =� � +(�+2 in out )� � 2�+1−‖ID(A,B)‖ ⋅2� =232+1−3 ⋅21 =231 2⋅ � ≈ 2.88− comp � � 2� +� � � to reduce log2 in out (17) �� information of the key candidates space from formula +2‖�‖�� , (12). Similarly, using 8 16-round impossible diferentials, to � Security and Communication Networks 7

Table 3: Impossible diferential characteristics for CLEFIA-128.

Number ID

(1) [032,032,032,[08,08,08,�8]] ��[032,032,032,[08,08,�8,08]]

(2) [032,032,032,[08,08,08,�8]] ��[032,032,032,[08,�8,08,08]]

(3) [032,032,032,[08,08,08,�8]] ��[032,032,032,[�8,08,08,08]]

(4) [032,032,032,[08,08,�8,08]] ��[032,032,032,[08,08,08,�8]]

(5) [032,032,032,[08,08,�8,08]] ��[032,032,032,[08,�8,08,08]]

(6) [032,032,032,[08,08,�8,08]] ��[032,032,032,[�8,08,08,08]]

(7) [032,032,032,[08,�8,08,08]] ��[032,032,032,[08,08,08,�8]]

(8) [032,032,032,[08,�8,08,08]] ��[032,032,032,[08,08,�8,08]]

(9) [032,032,032,[08,�8,08,08]] ��[032,032,032,[�8,08,08,08]]

(10) [032,032,032,[�8,08,08,08]] ��[032,032,032,[08,08,08,�8]]

(11) [032,032,032,[�8,08,08,08]] ��[032,032,032,[08,08,�8,08]]

(12) [032,032,032,[�8,08,08,08]] ��[032,032,032,[08,�8,08,08]]

(13) [032,[08,08,08,�8], 032,032]��[032,[08,08,�8,08], 032,032]

(14) [032,[08,08,08,�8], 032,032]��[032,[08,�8,08,08], 032,032]

(15) [032,[08,08,08,�8], 032,032]��[032,[�8,08,08,08], 032,032]

(16) [032,[08,08,�8,08], 032,032]��[032,[08,08,08,�8], 032,032]

(17) [032,[08,08,�8,08], 032,032]��[032,[08,�8,08,08], 032,032]

(18) [032,[08,08,�8,08], 032,032]��[032,[�8,08,08,08], 032,032]

(19) [032,[08,�8,08,08], 032,032]��[032,[08,08,08,�8], 032,032]

(20) [032,[08,�8,08,08], 032,032]��[032,[08,08,�8,08], 032,032]

(21) [032,[08,�8,08,08], 032,032]��[032,[�8,08,08,08], 032,032]

(22) [032,[08,�8,08,08], 032,032]��[032,[08,08,08,�8], 032,032]

(23) [032,[08,�8,08,08], 032,032]��[032,[08,08,�8,08], 032,032]

(24) [032,[08,�8,08,08], 032,032]��[032,[�8,08,08,08], 032,032]

� � � ∪� =� where � is the amount of needed data for obtaining the with guessed key in out will be performed inevitably ‖� ∪� ‖ � (�, �) � Q pairs, 2 in out is the number of candidate keys, �� is the for those such that is rejected by �.Let 2‖�‖� ratio of the partial encryption to the full encryption, W∗ ={W :� Q , 0≤�≤�−1,0 � �,� is rejected by � is the key candidates needed to exhaustive search, and � is (19) |� ∪� | the full encryption. Te frst term is the cost of generating ≤�≤2 in out −1}. �(A, B)-efective pairs. Te second term corresponds to the ∗ ‖� ∪� ‖ � +� cost of the key-sieving procedure. Finally, the third term is Ten |W | is approximately 2 in out (�/2 in out ). Terefore, thecostofexhaustivesearchforthekeycandidateswhich the time complexity of the key-sieving process is at least are not removed by the key-sieving procedure. Among these ‖� ∪� ‖ � +� � 2 in out (�/2 in out )��, which is optimal. Tat is, the three terms, the second one is the most obscure part. Next, we second term of Boura et al.’s formula is in some sense a focus attention on the second part. So before we go further, minimum estimation of the complexity of the key-sieving we would like to give some comments on it. Note that the process. comments are never meant to be precise, but try to get some In [19], Derbez presented some concrete examples where intuitive understanding. there is no attack whose complexity is as low as Boura et Let Q0,...,Q�−1 be �(A, B)-efective plaintext pairs. al.’s estimation. Consequently, we want to ask the question: ‖� ∪� ‖ We create 2 in out � tuples of the form W�,� =(Q�,�),where under which condition is Boura et al.’s estimation valid? ‖� ∪� ‖ Te following shows that when the key bits are independent 0≤�≤�−1and 0≤�≤2 in out −1.Wearrangethese Boura et al.’s formula is valid and achievable. For the other tuples into � rows as follows: case when the key bits are not independent we give a simple discussion.

W , W ,...,W |� ∪� | . �,0 �,1 �,2 in out −1 (18) 5.1. When the Key Bits Are Independent No matter how we perform the impossible diferential attack, Assumption 13. In order to give a technique to achieve the the partial encryption and decryption of the plaintext pairs Q� optimal time complexity, there are some assumptions in the 8 Security and Communication Networks

P0 For Step 0, the time complexity is

‖Δ �+1‖ 0 ‖�Δ=0‖ ‖��(0)‖−‖��(0)‖ 0 �(2 ×� )×2 �� =�2 � ��. k0 � � (21) S Terefore,thecomplexityofthewholeprocedurewithagiven M permutation � is P1 �−1 � � � � ‖⋃�=0 ��(�)‖−∑�=0 ��(�) �� Figure 5: Example: grey color stands for nibbles with nonzero � (∑2 ��) �� ≈�2 ��, (22) diference. �=0

� � � � where �� = max0≤�≤�−1{‖ ⋃�=0 ��(�)‖−∑�=0 ��(�)} and �� = �−1 � � target cipher. We focus our attention on these ciphers which ∑�=0 ��.Obviously,�� is the ratio of the cost of partial consist of subkey XOR, nonlinear, and linear operations. For encryption to the full encryption. nonlinear layer, it should be composed by S-boxes or bitwise Combining (20) with the early abort technique, ∀�, ‖��(�)‖− AND. In other words, the diference values of nonlinear � ≥0 � = {‖ ⋃� �� ‖−∑� � }= operationshouldbeshowninatablewithlessstorageandwe �(�) .Hence � max0≤�≤�−1 �=0 �(�) �=0 �(�) ∑�−1(‖� ‖−� )=∑�−1(‖� ‖−�)=‖� ∪� ‖−� −� can ignore the time complexity of creating table. Terefore, �=0 �(�) �(�) �=0 � � in out in out. most block ciphers satisfy this assumption. Fact 14. If the involved key bits are independent, then �� = Δ (�+1) ‖� ∪� ‖−� −� Let us assume that �+1 is the th round input set and in out in out. Δ � is the set propagated by Δ �+1 with probability 1. During � thekeyflteringphaseofimpossiblediferentialattack,�� From Fact 14, we know that there is a permutation includes two parts: one involved the value of diference Δ � such that the time complexity of the key-sieving process is andtheotherpartinvolvednodiferencebutneedtogetthese approximately values. Terefore, for target ciphers satisfying our assumption ‖� ∪� ‖ � � 2 in out � � � +� � � (23) � � � � 2 in out �� = �Δ �� − �Δ �+1� , (20) � � � � � � � � � � which is the same as Boura’s formula. Without considering �� = ��Δ=0 ̸ � + ��Δ=0� = �Δ �� + ��Δ=0� . the time complexity of the key schedule, if the target ciphers are under our assumption and the involved key bits are An example is depicted in Figure 5, where ‖�0‖=‖�0[0, 1, 2]+ � [3]‖ = ‖� ‖+‖� ‖ independent, we can conclude that Boura et al.’s formula is 0 �Δ=0 ̸ �Δ=0 . correct. In the following, we present the early abort technique in which the time complexity will achieve the optimal result Example 15 (impossible diferential attack on a toy cipher). if the involved key bits are independent. Assuming that Let us consider the toy block cipher � used by Derbez in [19] � � there are outer rounds, let � denote the involved key as an example which is defned as follows: bits and let �� denote the number of bit-conditions. Given �(A, B) Q ,...,Q Q ∈ � -efective plaintext pairs 0 �−1,foreach �=� ∘ MC ∘ SR ∘ SB ∘ AK, (24) {Q0,...,Q�−1}, completes the following steps: � where � is a 128-bit block cipher and where AK, SB, W(0) ={(Q,�� ): � (i) Step 0: derive �(�) the �(0) bits of SR, and MC, respectively, are the AddRoundKey, SubBytes, (0) conditions are verifed} by table look-up. |� |≈ ShrifRows, and MixColumns operations from the AES: ‖��(0)‖−��(0) 2 . In detail, at frst guess the value of Δ �(0) and decrypt the corresponding plaintext pairs par- (i) AddRoundKey (AK): XORing the state with round tially to calculate the output diference afer nonlinear key; operation, then get the value of �Δ=0 ̸ by table look-up (ii) SubBytes (SB): nonlinearity transformation using 8- technique and fnally guess the value of ��Δ=0 to get bit to 8-bit invertible S-Box; W(0) . (iii) ShifRows (SR): permutation with cyclic shif of each (1) � � row to the lef; (ii) Step 1: derive W ={(Q,��(0) ∪��(1)): the ��(1) bits of conditions are verifed} by table (iv) MixColumns (MC): linearity transformation to mix (1) ‖� ∪�� ‖−� −� 4×4 look-up. |� |≈2 �(0) �(1) �(0) �(1) . all the column by invertible matrix. (iii) ⋅⋅⋅ Assume that there is an impossible diferential (A, B) � (�−1) �−1 � over � where A has one active byte. As shown in Figure 6, (iv) Step �−1: derive W ={(Q, ⋃�=0 ��(�)):the � } appending one round on the top of the distinguisher we give �(�−1) bits of conditions are verifed by table look- an impossible diferential cryptanalysis. Te bit-condition � (�−1) ‖⋃�−1 �� ‖−∑�−1 � in up. |� |≈2 �=0 �(�) �=0 �(�) . is 24 and there are 32 key bits. In the case that the key bits Security and Communication Networks 9

０Ｌ = 2−24 (A)=A A B = B =(B) 0 5  P AK SB SR MC E C 10 15

Figure 6: Impossible diferential attack against the toy cipher �.

‖� ∪� ‖=72+72− are independent, we give the time complexity of the attack as number of information key bits is in out follows: 22 = 122 and for each round the bit-conditions are �1 =32, � =8� =8 � =32 8 2 , 12 ,and 13 .Becausethekeybitsarenot A 2 � (i) Step 1: guess ;thereare values. For each value of independent, we should calculate 2 � by steps, which could A, decrypt pairs to calculate the diference value afer ‖� ∪� ‖−� −� not calculate by the formula 2 in out in out . SB operation. Tus the input diference and output

diference of S-Box are both known in nibbles 0, 5, �� Te process to calculate 2 is as follows: 10, and 15 for each pair. (i) Step 0: guess the subkeys of the frst round, ‖��(0)‖= (ii) Step 2: by table look-up four times, get the values of ‖� ‖=64 � =� =32 |�(0)|≈ �0, �5, �10,and�15 in turn. 1 and �(0) 1 ;thus ‖� ‖−� 64−32 32 2 �(0) �(0) =2 =2 . Step 1 and Step 2 are the detailed explanation about Step (ii) Step 1: guess the subkeys of the second round, 0. For �(A, B)-efective pairs, the time complexity in above (1) ‖��(1)‖=‖�2‖=8and ��(1) =�2 =8;thus|� |≈ steps is ‖� ∪�� ‖−� −� 64+8−32−8 32 2 �(0) �(1) �(0) �(1) =2 =2 . 8 1 1 ‖� ‖= �×2 × (1+1+1+1) × × �� (iii) Step 2: guess the subkeys of the 13th round, �(2) 16 � (2) (25) ‖�13‖ = 64−22 = 42 and ��(2) =�13 =32;thus|� |≈ 8 � 2 � 2 =�×2 ×� � ‖⋃�=0 ��(�)‖−∑�=0 ��(�) 64+8+42−32−8−32 42 � � 2 =2 =2 .

(iv) Step 3: guess the subkeys of the 12th round, ‖��(3)‖= which is in conformity with formula (23). (3) ‖�12‖=8and ��(3) =�12 =8;thus|� |≈ ‖⋃3 �� ‖−∑3 � 64+8+42+8−32−8−32−8 42 2 �=0 �(�) �=0 �(�) =2 =2 5.2. When the Key Bits Are Not Independent. Te previous . �� (�) 42 section shows in some sense that the estimation of Boura Te above steps show 2 = max0≤�≤3{|� |} = 2 which is not only achievable but also optimal when the key bits ‖� ∪� ‖−� −� � is equal to 2 in out in out ;thus2 =1.Tekeypointisthat involved are independent. in Step 2 ‖��(2)‖=‖�13‖=42≥�13 =32,itdoesnotgenerate Inthefollowing,wegiveaformulatoestimatethe ‖� ∪� ‖−� −� greater value than 2 in out in out , and the time complexity complexity of the key-sieving process which is always valid ‖� ∪� ‖ � +� � regardless whether the involved key bits are independent or of the key-sieving process is 1×2 in out (�/2 in out )��. not To trade-of the data complexity and the time complexity, choosing � = 2.6, the time complexity is � ‖� ∪� ‖ � � 2 ×2 in out � � . � +� � � (26) ‖� ∪� ‖ � � ‖�‖ 2 in out � � +(�+2 in out )� � +2 �� N � 2� +� � � � in out (27) We show how to determine � by example. 122.07 ≈2 ��

Example 16 (multiple impossible diferential attack on CLE- 108.42 2.6 111.06 80 2.6 82.6 with �� =2 ×2 =2 , �=2 ×2 =2 , FIA-128). From Figure 4 showing the attack on CLEFIA-128 � −2� � −8.75 � = 18/104 �=2 log2 ≈2 by using multiple impossible diferentials, there are 4 outer � ,and ,whichisasaresult � �� presented in [18]. rounds. For in there are 32 bits of 1,32bitsof 0,and 8bitsof��2 ⊕��0 to be guessed. Similarly, for � we �� ⊕�� out�� also need to guess 8 bits of 23 2,32bitsof 24, 6. Conclusion �� ‖� ‖=72 ‖� ‖= and 32 bits of 25. Terefore, in and out 72. Considering the relationship between the subkeys, the Tanks to the new notations, we give a unifed data com- subkeys ��1 and ��24 share22bitsincommon.Tusthe plexity formula for both the ordinary impossible diferential 10 Security and Communication Networks attacks and attacks based on multiple impossible diferentials. in the Advances in Cryptology - CRYPTO 2015, Proceedings of Tis formula not only is more convenient to use, but also 35th Annual Cryptology Conference, pp. 95–115, Santa Barbara, reveals an interesting fact that the data complexity of an CA,USA,August2015. impossible diferential attack can be derived by the mere [8] B. Sun, M. Liu, J. Guo, V. Rijmen, and R. Li, “Provable security knowledge of the underlying impossible diferential distin- evaluation of structures against impossible diferential and zero guisher in most cases. Moreover, we show under which correlation linear cryptanalysis,” in Advances in Cryptology - condition Boura et al.’s formula is valid and give a simple EUROCRYPT 2016, Proceedings of the 35th Annual International time complexity estimation for impossible diferential attack Conference on the Teory and Applications of Cryptographic which is always achievable. We believe that these results Techniques, pp. 196–213, Springer, Vienna, Austria, May 2016. make the evaluation of the impossible diferential attack more [9] S. Bing, L. Ruilin, M. Wang, L. Ping, and L. Chao, “Impossible straightforward and reliable. diferential cryptanalysis of CLEFIA,” Cryptology ePrint Archive, vol. 151, 2008. [10]N.Mouha,Q.Wang,D.Gu,andB.Preneel,“Diferentialand Conflicts of Interest linear cryptanalysis using mixed-integer linear programming,” in Information Security and Cryptology, Proceedings of the Te authors declare that there are no conficts of interest 7th International Conference, Inscrypt 2011, pp. 57–76, Beijing, regarding the publication of this paper. China, November 2011. [11] W. Shengbao and W. Mingsheng, “Security evaluation against Acknowledgments diferential cryptanalysis for block cipher structures,” Cryptol- ogy ePrint Archive, vol. 551, 2011. Te work of this paper was supported by the National Natural [12] S. Sun, L. Hu, P.Wang, K. Qiao, X. Ma, and L. Song, “Automatic Science Foundation of China (Grants 61732021, 61472417, security evaluation and (related-key) diferential characteristic 61772519, 61472415, and 61402469), the Fundamental Teory search: Application to simon, present, lblock, DES(L) and other and Cutting Edge Technology Research Program of Institute bit-oriented block ciphers,” in Advances in Cryptology - ASI- of Information Engineering, CAS (Grant no. Y7Z0251103), ACRYPT 2014, Proceedings of the 20th International Conference and the State Key Laboratory of Information Security, Chi- on the Teory and Application of Cryptology and Information nese Academy of Sciences. Te work of Siwei Sun is supported Security, pp. 158–178, Kaoshiung, Taiwan, December 2014. by the Youth Innovation Promotion Association of Chinese [13] K. Fu, M. Wang, Y. Guo, S. Sun, and L. Hu, “MILP-based Academy of Sciences and the Institute of Information Engi- automatic search algorithms for diferential and linear trails for neering (Qing-Nian-Zhi-Xing project). speck,” Lecture Notes in Computer Science (including subseries Lecture Notes in Artifcial Intelligence and Lecture Notes in Bioinformatics): Preface,vol.9783,pp.268–288,2016. References [14] J. Kim, S. Hong, J. Sung, S. Lee, J. Lim, and S. Sung, “Impossible diferential cryptanalysis for block cipher structures,” in Cryp- [1] L. Knudsen, “DEAL-a 128-bit block cipher,” Complexity,vol. tology - INDOCRYPT 2003, Proceedings of the 4th International 258, no. 2, 1998. Conference on Cryptology in India, pp. 82–96, New Delhi, India, [2]E.Biham,A.Biryukov,andA.Shamir,“Cryptanalysisof December 2003. skipjack reduced to 31 rounds using impossible diferentials,” [15] Y. Luo, X. Lai, Z. Wu, and G. Gong, “A unifed method for in Advances in Cryptology - EUROCRYPT ’99, Proceedings of fnding impossible diferentials of block cipher structures,” the International Conference on the Teory and Application of Information Sciences,vol.263,pp.211–220,2014. Cryptographic Techniques, pp. 12–23, Prague, Czech Republic, [16] Y. Sasaki and Y. Todo, “New impossible diferential search tool May 1999. from design and cryptanalysis aspects - revealing structural [3]L.Wen,M.-Q.Wang,andJ.-Y.Zhao,“Related-keyimpossible properties of several ciphers,” in Advances in Cryptology - diferential attack on reduced-round LBlock,” Journal of Com- EUROCRYPT 2017, Proceedings of the 36th Annual International puter Science and Technology,vol.29,no.1,pp.165–176,2014. Conference on the Teory and Applications of Cryptographic [4]J.Zhao,M.Wang,J.Chen,andY.Zheng,“Newimpossible Techniques, pp. 185–215, Paris, France, April 2017. diferential attack on SAFER block cipher family,” IEICE Trans- [17] C. Tingting, J. Keting, F. Kai, C. Shiyao, and W. Meiqin, actions on Fundamentals of Electronics, Communications and “New automatic search tool for impossible diferentials and Computer Sciences,vol.E98A,no.3,pp.843–852,2015. zero-correlation linear approximations,”Tech. Rep., Cryptology [5] Y. Todo, “Impossible diferential attack against 14-round ePrint Archive, 2016, http://eprint.iacr.org/2016/689. Piccolo-80 without relying on full code book,” IEICE Trans- [18] C. Boura, M. Naya-Plasencia, and V. Suder, “Scrutinizing actions on Fundamentals of Electronics, Communications and and Improving Impossible Diferential Attacks: Applications to Computer Sciences,vol.E99A,no.1,pp.154–157,2016. CLEFIA, Camellia, LBlock and Simon,” in Advances in Cryptol- [6] K. Kondo, Y. Sasaki, Y. Todo, and T. Iwata, “Analyzing key ogy - ASIACRYPT 2014, Proceedings of the 20th International schedule of SIMON: Iterative key diferences and application to Conference on the Teory and Application of Cryptology and related-key impossible diferentials,”in Advances in Information Information Security, Part I, pp. 179–199, Kaoshiung, Taiwan, and Computer Security, Proceedings of the 12th International December 2014. Workshop on Security, IWSEC 2017, pp. 141–158, Hiroshima, [19] P. Derbez, “Note on impossible diferential attacks,” in Fast Japan, August 2017. Sofware Encryption, Proceedings of the 23rd International Con- [7] B. Sun, Z. Liu, V. Rijmen et al., “Links among impossible ference, FSE 2016,vol.9783,pp.416–427,Bochum,Germany, diferential, integral and zero correlation linear cryptanalysis,” March 2016. Security and Communication Networks 11

[20] J. Lu, O. Dunkelman, N. Keller, and J. Kim, “New impossible diferential attacks on AES,” in Progress in Cryptology - INDOCRYPT 2008, Proceedings of the 9th International Con- ference on Cryptology in India, pp. 279–293, Kharagpur, India, December 2008. [21] J. Lu, J. Kim, N. Keller, and O. Dunkelman, “Improving the efciency of impossible diferential cryptanalysis of reduced camellia and MISTY1,” in Topics in Cryptology - CT-RSA 2008, Proceedings of Te Cryptographers’ Track at the RSA Conference 2008,vol.4964,pp.370–386,SanFrancisco,CA,USA,April 2008. [22] R. Beaulieu, S. Treatman-Clark, D. Shors, B. Weeks, J. Smith, and L. Wingers, “Te SIMON and SPECK families of lightweight block ciphers,” IACR Cryptology ePrint Archive,vol. 404, 2013. [23]T.Shirai,A.Toru,K.Shibutani,andI.Tetsu,“Te128-bit blockcipher CLEFIA (extended abstract),” in Fast Sofware Encryption, Proceedings of the 14th International Workshop, FSE 2007,pp.181–195,Luxembourg,2007. [24] Y. Tsunoo, E. Tsujihara, M. Shigeri, T. Suzaki, and T. Kawabata, “Cryptanalysis of CLEFIA using multiple impossible diferentials,” in Proceedings of the 2008 International Symposium on Information Teory and its Applications, ISITA2008,6,1pages, Auckland, New Zealand, December 2008. [25] S. Siwei and D. Gerault, “Pascal Lafourcade, Qianqian Yang, Yosuke Todo, Kexin Qiao, and Lei Hu. Analysis of aes, skinny, and others with constraint programming,” IACR Trans. Sym- metric Cryptol,vol.2017,no.1,pp.281–306,2017. [26]Y.Liu,L.Li,D.Guetal.,“Newobservationsonimpossible diferential cryptanalysis of reduced-round camellia,” in Fast Sofware Encryption, Proceedings of the 19th International Work- shop, FSE 2012, pp. 90–109, Washington, DC, USA, March 2012. [27] B. Bahrak and M. R. Aref, “Impossible diferential attack on seven-round AES-128,” IET Information Security,vol.2,no.2, pp.28–32,2008. [28] J. Chen, Y. Futa, A. Miyaji, and C. Su, “Improving impossible diferential cryptanalysis with concrete investigation of key scheduling algorithm and its application to lblock,” in Proceed- ings of the 8th International Conference, NSS 2014,pp.184–197, Xi’an, China, October 2014. [29] K. Nyberg, T. Etsuko, S. Maki, and S. Teruo, “Impossible diferential cryptanalysis of CLEFIA,” in Fast Sofware Encryp- tion, Proceedings of the 15th International Workshop, FSE 2008, Lausanne, Switzerland, February 2008. International Journal of Rotating Advances in Machinery Multimedia

Journal of The Scientifc Journal of Engineering World Journal Sensors Hindawi Hindawi Publishing Corporation Hindawi Hindawi Hindawi www.hindawi.com Volume 2018 http://www.hindawi.comwww.hindawi.com Volume 20182013 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018

Journal of Control Science and Engineering

Advances in Civil Engineering Hindawi Hindawi www.hindawi.com Volume 2018 www.hindawi.com Volume 2018

Submit your manuscripts at www.hindawi.com

Journal of Journal of Electrical and Computer Robotics Engineering Hindawi Hindawi www.hindawi.com Volume 2018 www.hindawi.com Volume 2018

VLSI Design Advances in OptoElectronics International Journal of Modelling & International Journal of Simulation Aerospace Navigation and in Engineering Observation Engineering

Hindawi Hindawi Hindawi Hindawi Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 Volume 2018 Hindawi www.hindawi.com www.hindawi.com www.hindawi.com Volume 2018

International Journal of International Journal of Antennas and Active and Passive Advances in Chemical Engineering Propagation Electronic Components Shock and Vibration Acoustics and Vibration

Hindawi Hindawi Hindawi Hindawi Hindawi www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018